Electron-packager: npm audit security report - Prototype Pollution

Created on 10 May 2020  ·  15 Comments  ·  Source: electron/electron-packager

Preflight Checklist

  • [x] I have read the contribution documentation for this project.
  • [x] I agree to follow the code of conduct that this project follows, as appropriate.
  • [x] I have searched the issue tracker for a bug that matches the one I want to file, without success.

Issue Details

  • Electron Packager Version:

    • 14.2.1

  • Electron Version:

    • 8.2.5

  • Operating System:

    • Windows 10 (1909)

Expected Behavior

npm audit command should return no vulnerabilities

Actual Behavior

npm audit command returns

                       === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             

          Visit https://go.npm.me/audit-guide for additional guidance           


  Low             Prototype Pollution                                           

  Package         yargs-parser                                                  

  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2              

  Dependency of   electron-packager [dev]                                       

  Path            electron-packager > yargs-parser                              

  More info       https://npmjs.com/advisories/1500                             

found 1 low severity vulnerability in 5101 scanned packages
  1 vulnerability requires manual review. See the full report for details.

bug

Most helpful comment

This should be fixed with version 15.0.0.

All 15 comments

👋 Thanks for opening your first issue here! If you have a question about using Electron Packager, read the support docs. If you're reporting a 🐛 bug, please make sure you include steps to reproduce it. Development and issue triage is community-driven, so please be patient and we will get back to you as soon as we can.

To help make it easier for us to investigate your issue, please follow the contributing guidelines.

I found that electron-packager is using yargs-parser v16.x, but all versions of yargs-parser v16.x have this problem and they won't fix them immediately. Maybe we need to use v18.x of yargs-parser, but I don't know if the interface of yargs-parser has changed.
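As an added example (not from this issue thread or from the electron-packager project), a dependency-free Node.js check that evaluates the "Patched in" ranges quoted in the audit report against an installed yargs-parser version; it makes the point above concrete, since no 16.x release satisfies any of the three ranges. The range grammar it accepts is an assumption limited to what npm audit prints here (comparators joined by spaces, alternatives joined by "||"), not npm's full semver implementation.

```javascript
// Added example, not part of the original issue or of electron-packager:
// decide whether an installed yargs-parser version lies inside the
// "Patched in" ranges that npm audit printed for advisory 1500.
// Supported grammar (assumption): comparators >=, <=, >, <, = separated by
// spaces (all must hold) and alternatives separated by "||" (any may hold).

const PATCHED_IN = ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2";

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three integers;
// any prerelease or build suffix is ignored for this check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate one comparator such as ">=13.1.2" or "<14.0.0" against a version.
function matchesComparator(comparator, version) {
  const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
  const cmp = compareVersions(version, parseVersion(m[2]));
  switch (m[1] || "=") {
    case ">=": return cmp >= 0;
    case "<=": return cmp <= 0;
    case ">":  return cmp > 0;
    case "<":  return cmp < 0;
    default:   return cmp === 0;
  }
}

// True when the installed version satisfies at least one "||" alternative,
// i.e. it is a release the advisory lists as patched.
function isPatched(installedVersion, patchedIn = PATCHED_IN) {
  const version = parseVersion(installedVersion);
  return patchedIn.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((c) => matchesComparator(c, version))
  );
}

// Versions seen in this thread: 16.x (electron-packager's dependency) is
// never patched, while 15.0.1 and 18.1.2 are the first patched releases.
const report = ["16.1.0", "15.0.1", "18.1.2"].map(
  (v) => `yargs-parser ${v}: ${isPatched(v) ? "patched" : "NOT patched"}`
);
console.log(report.join("\n"));
```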

I'm facing:
=== npm audit security report ===

                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of react-scripts

Path react-scripts > webpack-dev-server > yargs > yargs-parser

More info https://npmjs.com/advisories/1500

found 1 low severity vulnerability in 1606 scanned packages
1 vulnerability requires manual review. See the full report for details.

I'm facing this problem. Can anyone please help me?

This should be fixed with version 15.0.0.

Thank you malept, but version 15.0.0 is not available;
the current version is 14..4.0.

It shows:
npm WARN [email protected] requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

I believe you can safely ignore that warning. It's just a warning.

But why does it show "found 1 low severity vulnerability
run npm audit fix to fix them, or npm audit for details"
and my React app is not created?

It shows:

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template...

[email protected] postinstall C:\Users\hp\my-app\node_modules\babel-runtime\node_modules\core-js
node -e "try{require('./postinstall')}catch(e){}"

[email protected] postinstall C:\Users\hp\my-app\node_modules\core-js
node -e "try{require('./postinstall')}catch(e){}"

[email protected] postinstall C:\Users\hp\my-app\node_modules\core-js-pure
node -e "try{require('./postinstall')}catch(e){}"

59 packages are looking for funding
run npm fund for details

found 1 low severity vulnerability
run npm audit fix to fix them, or npm audit for details

The src and public folders are not created.

Run npm audit and post the details.

\my-app>npm audit

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of react-scripts

Path react-scripts > webpack-dev-server > yargs > yargs-parser

More info https://npmjs.com/advisories/1500

found 1 low severity vulnerability in 1634 scanned packages
1 vulnerability requires manual review. See the full report for details.

This is a problem with the webpack-dev-server package, not electron-packager.
You can file an issue with them here: https://github.com/webpack/webpack-dev-server/issues

                   === npm audit security report ===                        


                             Manual Review                                  
         Some vulnerabilities require your attention to resolve             

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of react-scripts

Path react-scripts > webpack-dev-server > yargs > yargs-parser

More info https://npmjs.com/advisories/1500

found 1 low severity vulnerability in 1611 scanned packages
1 vulnerability requires manual review. See the full report for details.

@RejithReghunathan this is a problem with webpack-dev-server, not Electron Packager.

Everyone else:

This has been fixed in Electron Packager 15.0.0. I'm locking this because there haven't been any further on-topic comments since it was resolved.
